1st chunk of `content/manuals/engine/security/trust/trust_key_mng.md`
---
description: Manage keys for content trust
keywords: trust, security, root, keys, repository
title: Manage keys for content trust
---

Trust for an image tag is managed through the use of keys. Docker's content
trust makes use of five different types of keys:

| Key        | Description |
|:-----------|:----------- |
| root key   | Root of content trust for an image tag. When content trust is enabled, you create the root key once. Also known as the offline key, because it should be kept offline. |
| targets    | This key signs image tags and manages delegations, including delegated keys and permitted delegation paths. Also known as the repository key, since it determines which tags can be signed into an image repository. |
| snapshot   | This key signs the current collection of image tags, preventing mix-and-match attacks. |
| timestamp  | This key gives Docker image repositories freshness guarantees without requiring periodic content refreshes on the client's side. |
| delegation | Delegation keys are optional tagging keys that let you delegate signing of image tags to other publishers without sharing your targets key. |

When doing a `docker push` with Content Trust enabled for the first time, the
root, targets, snapshot, and timestamp keys are generated automatically for
the image repository:

- The root and targets keys are generated and stored locally, client-side.

- The timestamp and snapshot keys are generated and stored in a signing server
  that is deployed alongside the Docker registry. These keys are generated in a backend
  service that isn't directly exposed to the internet and are encrypted at rest. If you
  prefer to hold the snapshot key yourself, use the Notary CLI to [manage your snapshot key locally](https://github.com/theupdateframework/notary/blob/master/docs/advanced_usage.md#rotate-keys).

Delegation keys are optional, and not generated as part of the normal `docker`
workflow. They need to be
[manually generated and added to the repository](trust_delegation.md#creating-delegation-keys).
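Because the root and targets keys live on the client, the practical question after a first push is which local file is the offline root key that must be backed up and kept off the signing host, and which are repository or delegation keys. The script below is an added example, not code from the Docker documentation or from Notary. It assumes the Notary-style key store Docker uses under `~/.docker/trust/private`: one PEM file per key, named `<key-id>.key`, with a `role:` header (and, for targets keys, a `gun:` header naming the repository) in the PEM header block, and an encrypted blob marked either by the `ENCRYPTED PRIVATE KEY` label or the older `Proc-Type: 4,ENCRYPTED` header. The sample key files embedded in it are constructed and contain no real key material; the treatment of any other role name as a delegation/signer key is also an assumption.

```python
"""Inventory local Docker Content Trust private keys by role.

Added example; not code from the Docker documentation or from Notary.
Assumes a Notary-style key store (~/.docker/trust/private/<key-id>.key) in
which each PEM file carries "role:" and, for targets keys, "gun:" headers.
The SAMPLE_KEYS below are constructed placeholders, not real keys.
"""
from pathlib import Path

# Roles that the signing server normally holds; finding them on a client is worth a warning.
SERVER_ROLES = {"snapshot", "timestamp"}


def parse_key_pem(text):
    """Return (label, headers, encrypted) for one PEM-formatted key file."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("-----"):
        raise ValueError("not a PEM block")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    headers = {}
    i = 1
    # Header lines are "name: value" and end at the first blank line (assumed layout).
    while i < len(lines) and lines[i].strip() and ":" in lines[i]:
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    # PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED" both mean encrypted at rest.
    encrypted = label.startswith("ENCRYPTED") or headers.get("proc-type", "").endswith("ENCRYPTED")
    return label, headers, encrypted


def classify(role):
    """Map a PEM role header to one of the five key types."""
    if role == "root":
        return "root"
    if role == "targets":
        return "targets"
    if role in SERVER_ROLES:
        return role
    # Assumption: any other role name is a delegation (signer) key, e.g. one
    # written by `docker trust key generate <name>` or a targets/<name> role.
    return "delegation"


def inventory(key_texts):
    """key_texts: {key_id: pem_text}. Returns rows sorted root, targets, delegation, other."""
    rows = []
    for key_id, text in key_texts.items():
        _label, headers, encrypted = parse_key_pem(text)
        role = headers.get("role", "")
        rows.append({
            "key_id": key_id,
            "type": classify(role),
            "role": role,
            "gun": headers.get("gun", ""),
            "encrypted": encrypted,
        })
    order = {"root": 0, "targets": 1, "delegation": 2}
    return sorted(rows, key=lambda r: (order.get(r["type"], 3), r["gun"], r["key_id"]))


def load_store(directory=None):
    """Read every *.key file from a Docker trust key store (default: ~/.docker/trust/private)."""
    directory = Path(directory) if directory else Path.home() / ".docker" / "trust" / "private"
    return {p.stem: p.read_text() for p in sorted(directory.glob("*.key"))}


def findings(rows):
    """Warnings a practitioner would act on: plaintext keys, server keys on a client, missing root."""
    out = []
    for r in rows:
        if not r["encrypted"]:
            out.append(f"{r['key_id']}: {r['type']} key is stored unencrypted")
        if r["type"] in SERVER_ROLES:
            out.append(f"{r['key_id']}: {r['type']} key should live on the signing server, not here")
    if not any(r["type"] == "root" for r in rows):
        out.append("no root key found; the offline key is not in this store")
    return out


# Constructed sample store: key ids are made up and bodies are placeholder base64.
FAKE_BODY = "Tm90IGEgcmVhbCBrZXk=\n"
SAMPLE_KEYS = {
    "a1b2c3d4": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nrole: root\n\n"
                + FAKE_BODY + "-----END ENCRYPTED PRIVATE KEY-----\n",
    "e5f6a7b8": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nrole: targets\ngun: docker.io/example/app\n\n"
                + FAKE_BODY + "-----END ENCRYPTED PRIVATE KEY-----\n",
    "c9d0e1f2": "-----BEGIN EC PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-256-CBC,00112233445566778899aabbccddeeff\nrole: alice\n\n"
                + FAKE_BODY + "-----END EC PRIVATE KEY-----\n",
    "13579bdf": "-----BEGIN EC PRIVATE KEY-----\nrole: snapshot\ngun: docker.io/example/app\n\n"
                + FAKE_BODY + "-----END EC PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    rows = inventory(SAMPLE_KEYS)  # on a real client: inventory(load_store())
    for r in rows:
        print(f"{r['key_id']:10} {r['type']:11} role={r['role']:10} gun={r['gun'] or '-':25} encrypted={r['encrypted']}")
    for warning in findings(rows):
        print("WARN:", warning)
```

Run it as-is to see the classification of the constructed store, or swap in `inventory(load_store())` to audit a real client; the root row is the file to copy to offline storage before anything else, and an unencrypted or snapshot/timestamp key on a developer machine is a finding to chase down.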

## Choose a passphrase

The passphrases you choose for both the root key and your repository key should
be randomly generated and stored in a password manager. Having the repository key
